Although PESEL numbers do not constitute sensitive data, in contrast to health data or data relating to sexual orientation (at least in accordance with the GDPR definition), this does not change the fact that they require sufficient protection. This protection is required not only when taking care of one's own PESEL number, but also when handling the numbers of others, including the employees or customers of one's organization.
A penalty imposed by the President of the Personal Data Protection Office for ignoring breaches related to PESEL numbers
The President of the Personal Data Protection Office shares a similar, restrictive approach to all sorts of personal data breaches centered around PESEL numbers. The penalties imposed recently by the President of the Personal Data Protection Office concern scenarios where an organization failed to report a personal data breach to the President of the Personal Data Protection Office despite the fact that the scope of compromised data (data related to the breach) included PESEL numbers. The penalties would not have been imposed if the supervisory authority had been properly informed about the incident.
Conclusions
If you send an email to the wrong addressee by mistake, permanently delete, inadvertently make public, or in any other way cause damage to the personal data processed during your day-to-day activities, and that data happens to include a PESEL number, it is essential to inform your supervisor or the person responsible for data protection issues at your organization. Act with urgency: your organization has only 72h to report such a breach to the President of the Personal Data Protection Office.